RBAC use least privilege by default
What is the issue
By default, when rbac.create is set to true, roles.yaml is using * in resources and verbs. If the cluster is RBAC-enabled, this will lead to issues with deployment because it will try to grant more privileges than the user running the deployment has.
The least privileges are named in the values.yaml file, but they are commented out.
How to reproduce
Try to run helm with rbac.create=true as a user with fewer privileges than *.
How to fix
It is possible to fix this just by setting rbac.resources and rbac.verbs during deployment, but I think using least privileges should be the default behavior and * should be an option for the user to set explicitly.
It's good security practice to use least privileges by default, not greatest.
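
The failure reported above comes from the Kubernetes RBAC escalation check: the API server refuses to create a Role that grants permissions the requesting user does not already hold. The following added example (not part of the original issue and not the chart's code) is a simplified Python model of that check. The deployer's rules, the API groups and the explicit resource/verb lists are constructed assumptions.

```python
# Simplified model of the Kubernetes RBAC escalation check (added example).
# Only apiGroups/resources/verbs are modelled; resourceNames, nonResourceURLs
# and the "escalate" verb are left out.

def _covers(held, wanted):
    """A held list covers a wanted list if it has '*' or contains every item."""
    return "*" in held or all(item in held for item in wanted)

def rule_covers(held_rule, wanted_rule):
    return all(_covers(held_rule[key], wanted_rule[key])
               for key in ("apiGroups", "resources", "verbs"))

def uncovered_permissions(deployer_rules, role_rules):
    """Return the (apiGroup, resource, verb) triples that the Role would grant
    but that no single rule held by the deploying user covers."""
    missing = []
    for rule in role_rules:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                for verb in rule["verbs"]:
                    single = {"apiGroups": [group], "resources": [resource],
                              "verbs": [verb]}
                    if not any(rule_covers(h, single) for h in deployer_rules):
                        missing.append((group, resource, verb))
    return missing

def can_create_role(deployer_rules, role_rules):
    return not uncovered_permissions(deployer_rules, role_rules)

# Constructed sample data: a deployer limited to a few namespaced resources.
VERBS = ["get", "list", "watch", "create", "patch", "delete"]
DEPLOYER_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec", "secrets"], "verbs": VERBS},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["roles", "rolebindings"], "verbs": ["get", "create", "delete"]},
]
# What the page describes as the default: * in resources and verbs.
WILDCARD_ROLE = [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]
# Hypothetical explicit lists, as could be passed via rbac.resources / rbac.verbs.
SCOPED_ROLE = [{"apiGroups": [""], "resources": ["pods", "pods/exec", "secrets"],
                "verbs": VERBS}]

if __name__ == "__main__":
    print("wildcard:", can_create_role(DEPLOYER_RULES, WILDCARD_ROLE),
          uncovered_permissions(DEPLOYER_RULES, WILDCARD_ROLE))
    print("scoped:  ", can_create_role(DEPLOYER_RULES, SCOPED_ROLE))
```

The wildcard Role is rejected even though the deployer may create roles, because holding specific resources and verbs never covers `*`; only a deployer who already holds `*` passes the check.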